Skip to content

Commit

Permalink
[confcom] changing version number naming scheme and bugfix for 32bit …
Browse files Browse the repository at this point in the history
…python (#6144)

* changing version number naming scheme and bugfix for 32bit python

* addressing PR comments

* moving where pulling files happens from

* making a sha256 hash of the security policy print out when injecting into arm template

* taking out the --json option

* removing unused function

* adding warnings for save to file and debug mode. fixed bug with numbers for template parameters

* taking out unused function and fixing style checks

* adding error checking back in for when dmverity-vhd returns nothing

* making it so you can disable allow_elevated via the privileged field in the arm template

* Feature/security context (#18)

* securityContext

---------

Co-authored-by: Seth Hollandsworth <[email protected]>
Co-authored-by: Seth Hollandsworth <[email protected]>

* changing default value of no_new_privileges

* updating tests

* taking allow_elevated out of expected fields in ARM template

* adding docs for dmverity hashing and fixing markdown styling

---------

Co-authored-by: Heather Garvison <[email protected]>
  • Loading branch information
SethHollandsworth and hgarvison authored May 8, 2023
1 parent 0194f58 commit ead702f
Show file tree
Hide file tree
Showing 26 changed files with 3,158 additions and 717 deletions.
4 changes: 3 additions & 1 deletion src/confcom/.gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ azext_confcom/bin/
azext_confcom/bin/*
**/dmverity-vhd.exe
**/dmverity-vhd

# metadata file for coverage reports
**/.coverage
**/htmlcov

**/htmlcov
5 changes: 5 additions & 0 deletions src/confcom/HISTORY.rst
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,11 @@
Release History
===============
0.2.14
* changing the name of api_svn and framework_svn to api_version and framework_version
* changing fragment versions to an integer instead of semver
* bugfix for allowing 32bit python on a 64bit OS

0.2.13
* fixing bug where you could not pull by sha value if a tag was not specified
* fixing error message when attempting to use sha value with tar files
Expand Down
1 change: 1 addition & 0 deletions src/confcom/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -55,6 +55,7 @@ The `confcom` extension does not currently support:

- [ARM Template functions](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions) other than `variables` and `parameters`.
- Variables and Parameters with non-primitive data types e.g. objects and arrays
- Nested and Linked ARM Templates

## Trademarks

Expand Down
587 changes: 331 additions & 256 deletions src/confcom/azext_confcom/README.md

Large diffs are not rendered by default.

8 changes: 2 additions & 6 deletions src/confcom/azext_confcom/_help.py
Original file line number Diff line number Diff line change
Expand Up @@ -65,10 +65,6 @@
type: boolean
short-summary: 'When combined with an input ARM Template, verifies the policy present in the ARM Template under "ccePolicy" and the containers within the ARM Template are compatible. If they are incompatible, a list of reasons is given and the exit status code will be 2.'
- name: --json -j
type: string
short-summary: 'Outputs in JSON format instead of Rego'
- name: --outraw
type: boolean
short-summary: 'Output policy in clear text compact JSON instead of default base64 format'
Expand All @@ -90,8 +86,8 @@
text: az confcom acipolicygen --template-file "./template.json"
- name: Input an ARM Template file to create a human-readable Confidential Container Security Policy
text: az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print
- name: Input an ARM Template file to save a Confidential Container Security Policy to a file
text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt"
- name: Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text
text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy
- name: Input an ARM Template file and use a tar file as the image source instead of the Docker daemon
text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
"""
8 changes: 1 addition & 7 deletions src/confcom/azext_confcom/_params.py
Original file line number Diff line number Diff line change
Expand Up @@ -76,12 +76,6 @@ def load_arguments(self, _):
required=False,
help="Disabling container stdio will disable the ability to see the output of the container in the terminal for Confidential ACI",
)
c.argument(
"use_json",
options_list=("--json", "-j"),
required=False,
help="Output in JSON format",
)
c.argument(
"diff",
options_list=("--diff", "-d"),
Expand All @@ -95,7 +89,7 @@ def load_arguments(self, _):
help="Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy",
)
c.argument(
"print-existing-policy",
"print_existing_policy",
options_list=("--print-existing-policy"),
required=False,
action="store_true",
Expand Down
1 change: 0 additions & 1 deletion src/confcom/azext_confcom/azext_metadata.json
Original file line number Diff line number Diff line change
@@ -1,4 +1,3 @@
{
"azext.isPreview": true,
"azext.minCliCoreVersion": "2.26.2"
}
39 changes: 36 additions & 3 deletions src/confcom/azext_confcom/config.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,11 @@
ACI_FIELD_CONTAINERS_MOUNTS_READONLY = "readonly"
ACI_FIELD_CONTAINERS_WAIT_MOUNT_POINTS = "wait_mount_points"
ACI_FIELD_CONTAINERS_ALLOW_ELEVATED = "allow_elevated"
ACI_FIELD_CONTAINERS_SECURITY_CONTEXT = "securityContext"
ACI_FIELD_CONTAINERS_ALLOW_PRIVILEGE_ESCALATION = "allowPrivilegeEscalation"
ACI_FIELD_CONTAINERS_RUN_AS_USER = "runAsUser"
ACI_FIELD_CONTAINERS_RUN_AS_GROUP = "runAsGroup"
ACI_FIELD_CONTAINERS_SECCOMP_PROFILE = "seccompProfile"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS = "fragments"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_FEED = "feed"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_ISS = "iss"
Expand All @@ -51,6 +56,7 @@
ACI_FIELD_TEMPLATE_VARIABLES = "variables"
ACI_FIELD_TEMPLATE_VOLUMES = "volumes"
ACI_FIELD_TEMPLATE_IMAGE = "image"
ACI_FIELD_TEMPLATE_SECURITY_CONTEXT = "securityContext"
ACI_FIELD_TEMPLATE_RESOURCE_LABEL = "Microsoft.ContainerInstance/containerGroups"
ACI_FIELD_TEMPLATE_COMMAND = "command"
ACI_FIELD_TEMPLATE_ENVS = "environmentVariables"
Expand All @@ -60,6 +66,10 @@
ACI_FIELD_TEMPLATE_MOUNTS_READONLY = "readOnly"
ACI_FIELD_TEMPLATE_CONFCOM_PROPERTIES = "confidentialComputeProperties"
ACI_FIELD_TEMPLATE_CCE_POLICY = "ccePolicy"
ACI_FIELD_CONTAINERS_PRIVILEGED = "privileged"
ACI_FIELD_CONTAINERS_CAPABILITIES = "capabilities"
ACI_FIELD_CONTAINERS_CAPABILITIES_ADD = "add"
ACI_FIELD_CONTAINERS_CAPABILITIES_DROP = "drop"


# output json values
Expand All @@ -84,9 +94,23 @@
POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_OPTIONS = "options"
POLICY_FIELD_CONTAINERS_ELEMENTS_WAIT_MOUNT_POINTS = "wait_mount_points"
POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED = "allow_elevated"
POLICY_FIELD_CONTAINER_EXEC_PROCESSES = "exec_processes"
POLICY_FIELD_CONTAINER_SIGNAL_CONTAINER_PROCESSES = "signals"
POLICY_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES = "no_new_privileges"
POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES = "exec_processes"
POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES = "signals"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER = "user"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_USER_IDNAME = "user_idname"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_GROUP_IDNAMES = "group_idnames"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_UMASK = "umask"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_PATTERN = "pattern"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES = "capabilities"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_BOUNDING = "bounding"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_EFFECTIVE = "effective"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_INHERITABLE = "inheritable"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_PERMITTED = "permitted"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_AMBIENT = "ambient"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_STRATEGY = "strategy"
POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256 = "seccomp_profile_sha256"
POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS = "fragments"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_FEED = "feed"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_ISS = "iss"
Expand Down Expand Up @@ -132,5 +156,14 @@
SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt"
SIDECAR_REGO_FILE_PATH = f"{script_directory}/{SIDECAR_REGO_FILE}"
SIDECAR_REGO_POLICY = os_util.load_str_from_file(SIDECAR_REGO_FILE_PATH)

# api version
API_VERSION = _config["version_api"]
# default containers to be added to all container groups
DEFAULT_CONTAINERS = _config["default_containers"]
# default container user config to be added for security context
DEFAULT_USER = _config["default_user"]
# default unpriviliged user capabilities to be added for security context
DEFAULT_UNPRIVILEGED_CAPABILITIES = _config["default_unprivileged_capabilities"]
# default priviliged user capabilities to be added for security context
DEFAULT_PRIVILEGED_CAPABILITIES = _config["default_privileged_capabilities"]
Loading

0 comments on commit ead702f

Please sign in to comment.