[confcom] changing version number naming scheme and bugfix for 32-bit Python #6144

Merged (21 commits) on May 8, 2023

Commits
69e7970
changing version number naming scheme and bugfix for 32-bit Python
SethHollandsworth Mar 29, 2023
7b0e904
addressing PR comments
SethHollandsworth Apr 3, 2023
db1efe0
moving where pulling files happens from
SethHollandsworth Apr 3, 2023
0826d37
making a sha256 hash of the security policy print out when injecting …
SethHollandsworth Apr 17, 2023
cdc3be4
taking out the --json option
SethHollandsworth Apr 18, 2023
9e841d5
removing unused function
SethHollandsworth Apr 18, 2023
fd14dfc
Merge pull request #23 from SethHollandsworth/feature/sha256_hash
SethHollandsworth Apr 18, 2023
1eb7f65
adding warnings for save to file and debug mode. fixed bug with numbe…
SethHollandsworth Apr 13, 2023
50be7ac
Merge pull request #22 from SethHollandsworth/update_save_to_file
SethHollandsworth Apr 18, 2023
7217ed9
taking out unused function and fixing style checks
SethHollandsworth Apr 19, 2023
1036a71
adding error checking back in for when dmverity-vhd returns nothing
SethHollandsworth Apr 19, 2023
d0fb0b7
making it so you can disable allow_elevated via the privileged field …
SethHollandsworth Apr 19, 2023
34ddd1d
Merge pull request #20 from SethHollandsworth/feature/allow_elevated
SethHollandsworth Apr 25, 2023
aff3a33
Feature/security context (#18)
hgarvison Apr 27, 2023
6ea9dfd
changing default value of no_new_privileges
SethHollandsworth Apr 27, 2023
220357d
updating tests
SethHollandsworth Apr 27, 2023
f8b0297
Merge pull request #24 from SethHollandsworth/bugfix/changing_no_new_…
SethHollandsworth Apr 27, 2023
2a72e5d
taking allow_elevated out of expected fields in ARM template
SethHollandsworth May 3, 2023
7f2421b
Merge pull request #25 from SethHollandsworth/bugfix/allow_elevated
SethHollandsworth May 4, 2023
faf33ca
adding docs for dmverity hashing and fixing markdown styling
SethHollandsworth May 4, 2023
834fba5
Merge pull request #26 from SethHollandsworth/dmverity_docs
SethHollandsworth May 4, 2023
4 changes: 3 additions & 1 deletion src/confcom/.gitignore
@@ -27,6 +27,8 @@ azext_confcom/bin/
azext_confcom/bin/*
**/dmverity-vhd.exe
**/dmverity-vhd

# metadata file for coverage reports
**/.coverage
**/htmlcov

**/htmlcov
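Review bot: `**/htmlcov` appears twice in this hunk, once under the `# metadata file for coverage reports` comment and once after the blank line at the end. If both survive in the resulting file the trailing entry is redundant; a single `**/htmlcov` beside `**/.coverage` is enough.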
5 changes: 5 additions & 0 deletions src/confcom/HISTORY.rst
@@ -2,6 +2,11 @@

Release History
===============
0.2.14
* changing the name of api_svn and framework_svn to api_version and framework_version
* changing fragment versions to an integer instead of semver
* bugfix for allowing 32bit python on a 64bit OS

0.2.13
* fixing bug where you could not pull by sha value if a tag was not specified
* fixing error message when attempting to use sha value with tar files
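Review bot: the 0.2.14 entries record two policy-field renames (`api_svn` to `api_version`, `framework_svn` to `framework_version`) and the switch of fragment versions from semver to an integer, but not whether policies or fragments produced by earlier releases are still accepted. Since these fields are consumed by the policy enforcer, state the compatibility impact here so users know whether they must regenerate. Nit: `32bit` and `64bit` should read `32-bit` and `64-bit`.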
1 change: 1 addition & 0 deletions src/confcom/README.md
@@ -55,6 +55,7 @@ The `confcom` extension does not currently support:

- [ARM Template functions](https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions) other than `variables` and `parameters`.
- Variables and Parameters with non-primitive data types e.g. objects and arrays
- Nested and Linked ARM Templates
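Review bot: punctuation in this list is inconsistent; the first item ends with a period while the new `Nested and Linked ARM Templates` item and the one before it do not. Pick one style for the whole list, and add a comma before `e.g.` in the variables item.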

## Trademarks

587 changes: 331 additions & 256 deletions src/confcom/azext_confcom/README.md

Large diffs are not rendered by default.

8 changes: 2 additions & 6 deletions src/confcom/azext_confcom/_help.py
@@ -65,10 +65,6 @@
type: boolean
short-summary: 'When combined with an input ARM Template, verifies the policy present in the ARM Template under "ccePolicy" and the containers within the ARM Template are compatible. If they are incompatible, a list of reasons is given and the exit status code will be 2.'

- name: --json -j
type: string
short-summary: 'Outputs in JSON format instead of Rego'

- name: --outraw
type: boolean
short-summary: 'Output policy in clear text compact JSON instead of default base64 format'
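Review bot: dropping `--json -j` removes a user-facing flag, yet the 0.2.14 section of HISTORY.rst in this same PR lists only the field renames and the 32-bit fix. Add a changelog line for the removal and point users of `--json` at `--outraw` / `--outraw-pretty-print` as the remaining way to get a readable, non-base64 policy.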
@@ -90,8 +86,8 @@
text: az confcom acipolicygen --template-file "./template.json"
- name: Input an ARM Template file to create a human-readable Confidential Container Security Policy
text: az confcom acipolicygen --template-file "./template.json" --outraw-pretty-print
- name: Input an ARM Template file to save a Confidential Container Security Policy to a file
text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt"
- name: Input an ARM Template file to save a Confidential Container Security Policy to a file as base64 encoded text
text: az confcom acipolicygen --template-file "./template.json" -s "./output-file.txt" --print-policy
- name: Input an ARM Template file and use a tar file as the image source instead of the Docker daemon
text: az confcom acipolicygen --template-file "./template.json" --tar "./image.tar"
"""
8 changes: 1 addition & 7 deletions src/confcom/azext_confcom/_params.py
@@ -76,12 +76,6 @@ def load_arguments(self, _):
required=False,
help="Disabling container stdio will disable the ability to see the output of the container in the terminal for Confidential ACI",
)
c.argument(
"use_json",
options_list=("--json", "-j"),
required=False,
help="Output in JSON format",
)
c.argument(
"diff",
options_list=("--diff", "-d"),
@@ -95,7 +89,7 @@ def load_arguments(self, _):
help="Validate that the image used to generate the CCE Policy for a sidecar container will be allowed by its generated policy",
)
c.argument(
"print-existing-policy",
"print_existing_policy",
options_list=("--print-existing-policy"),
required=False,
action="store_true",
1 change: 0 additions & 1 deletion src/confcom/azext_confcom/azext_metadata.json
@@ -1,4 +1,3 @@
{
"azext.isPreview": true,
"azext.minCliCoreVersion": "2.26.2"
}
39 changes: 36 additions & 3 deletions src/confcom/azext_confcom/config.py
@@ -25,6 +25,11 @@
ACI_FIELD_CONTAINERS_MOUNTS_READONLY = "readonly"
ACI_FIELD_CONTAINERS_WAIT_MOUNT_POINTS = "wait_mount_points"
ACI_FIELD_CONTAINERS_ALLOW_ELEVATED = "allow_elevated"
ACI_FIELD_CONTAINERS_SECURITY_CONTEXT = "securityContext"
ACI_FIELD_CONTAINERS_ALLOW_PRIVILEGE_ESCALATION = "allowPrivilegeEscalation"
ACI_FIELD_CONTAINERS_RUN_AS_USER = "runAsUser"
ACI_FIELD_CONTAINERS_RUN_AS_GROUP = "runAsGroup"
ACI_FIELD_CONTAINERS_SECCOMP_PROFILE = "seccompProfile"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS = "fragments"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_FEED = "feed"
ACI_FIELD_CONTAINERS_REGO_FRAGMENTS_ISS = "iss"
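Review bot: the five new `ACI_FIELD_CONTAINERS_*` constants carry camelCase values (`securityContext`, `allowPrivilegeEscalation`, `runAsUser`, `runAsGroup`, `seccompProfile`) while the neighbouring entries in this group use the snake_case keys of the extension's own container format (`wait_mount_points`, `allow_elevated`). If these keys are read from the ARM template they belong with the `ACI_FIELD_TEMPLATE_*` constants; if the containers-file format really uses camelCase for this block, add a comment saying so, because readers of this group will otherwise assume snake_case.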
@@ -51,6 +56,7 @@
ACI_FIELD_TEMPLATE_VARIABLES = "variables"
ACI_FIELD_TEMPLATE_VOLUMES = "volumes"
ACI_FIELD_TEMPLATE_IMAGE = "image"
ACI_FIELD_TEMPLATE_SECURITY_CONTEXT = "securityContext"
ACI_FIELD_TEMPLATE_RESOURCE_LABEL = "Microsoft.ContainerInstance/containerGroups"
ACI_FIELD_TEMPLATE_COMMAND = "command"
ACI_FIELD_TEMPLATE_ENVS = "environmentVariables"
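Review bot: `ACI_FIELD_TEMPLATE_SECURITY_CONTEXT` is assigned the same value `"securityContext"` that `ACI_FIELD_CONTAINERS_SECURITY_CONTEXT` receives earlier in this file. Keep both only if the two input formats are expected to diverge; otherwise define one constant and use it in both places so a future rename cannot drift.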
@@ -60,6 +66,10 @@
ACI_FIELD_TEMPLATE_MOUNTS_READONLY = "readOnly"
ACI_FIELD_TEMPLATE_CONFCOM_PROPERTIES = "confidentialComputeProperties"
ACI_FIELD_TEMPLATE_CCE_POLICY = "ccePolicy"
ACI_FIELD_CONTAINERS_PRIVILEGED = "privileged"
ACI_FIELD_CONTAINERS_CAPABILITIES = "capabilities"
ACI_FIELD_CONTAINERS_CAPABILITIES_ADD = "add"
ACI_FIELD_CONTAINERS_CAPABILITIES_DROP = "drop"


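Review bot: `ACI_FIELD_CONTAINERS_PRIVILEGED`, `ACI_FIELD_CONTAINERS_CAPABILITIES`, `..._CAPABILITIES_ADD` and `..._CAPABILITIES_DROP` are `ACI_FIELD_CONTAINERS_*` names appended to the end of the `ACI_FIELD_TEMPLATE_*` block; move them up beside the other `ACI_FIELD_CONTAINERS_*` constants so each group stays searchable. Since `privileged` now drives whether `allow_elevated` is emitted (per the `feature/allow_elevated` commits in this PR), a comment stating the value assumed when the field is absent would help anyone reviewing the generated policy.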
# output json values
@@ -84,9 +94,23 @@
POLICY_FIELD_CONTAINERS_ELEMENTS_MOUNTS_OPTIONS = "options"
POLICY_FIELD_CONTAINERS_ELEMENTS_WAIT_MOUNT_POINTS = "wait_mount_points"
POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_ELEVATED = "allow_elevated"
POLICY_FIELD_CONTAINER_EXEC_PROCESSES = "exec_processes"
POLICY_FIELD_CONTAINER_SIGNAL_CONTAINER_PROCESSES = "signals"
POLICY_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
POLICY_FIELD_CONTAINERS_ELEMENTS_NO_NEW_PRIVILEGES = "no_new_privileges"
POLICY_FIELD_CONTAINERS_ELEMENTS_EXEC_PROCESSES = "exec_processes"
POLICY_FIELD_CONTAINERS_ELEMENTS_SIGNAL_CONTAINER_PROCESSES = "signals"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER = "user"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_USER_IDNAME = "user_idname"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_GROUP_IDNAMES = "group_idnames"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_UMASK = "umask"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_PATTERN = "pattern"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES = "capabilities"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_BOUNDING = "bounding"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_EFFECTIVE = "effective"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_INHERITABLE = "inheritable"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_PERMITTED = "permitted"
POLICY_FIELD_CONTAINERS_ELEMENTS_CAPABILITIES_AMBIENT = "ambient"
POLICY_FIELD_CONTAINERS_ELEMENTS_USER_STRATEGY = "strategy"
POLICY_FIELD_CONTAINERS_ELEMENTS_SECCOMP_PROFILE_SHA256 = "seccomp_profile_sha256"
POLICY_FIELD_CONTAINERS_ELEMENTS_ALLOW_STDIO_ACCESS = "allow_stdio_access"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS = "fragments"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_FEED = "feed"
POLICY_FIELD_CONTAINERS_ELEMENTS_REGO_FRAGMENTS_ISS = "iss"
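Review bot: any caller still using `POLICY_FIELD_CONTAINER_EXEC_PROCESSES`, `POLICY_FIELD_CONTAINER_SIGNAL_CONTAINER_PROCESSES` or `POLICY_FIELD_CONTAINERS_ALLOW_STDIO_ACCESS`, which this hunk removes in favour of the `POLICY_FIELD_CONTAINERS_ELEMENTS_*` names, fails only at runtime, so grep for the old names before merging. For the new `no_new_privileges` field, record in the changelog the default that ends up in the policy (one commit in this PR changes it), because a permissive default weakens enforcement for every container that does not set `allowPrivilegeEscalation` explicitly. Nit: `POLICY_FIELD_CONTAINERS_ELEMENTS_USER_STRATEGY` sits after the capabilities constants rather than with the other `..._USER_*` fields.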
@@ -132,5 +156,14 @@
SIDECAR_REGO_FILE = "./data/sidecar_rego_policy.txt"
SIDECAR_REGO_FILE_PATH = f"{script_directory}/{SIDECAR_REGO_FILE}"
SIDECAR_REGO_POLICY = os_util.load_str_from_file(SIDECAR_REGO_FILE_PATH)

# api version
API_VERSION = _config["version_api"]
# default containers to be added to all container groups
DEFAULT_CONTAINERS = _config["default_containers"]
# default container user config to be added for security context
DEFAULT_USER = _config["default_user"]
# default unpriviliged user capabilities to be added for security context
DEFAULT_UNPRIVILEGED_CAPABILITIES = _config["default_unprivileged_capabilities"]
# default priviliged user capabilities to be added for security context
DEFAULT_PRIVILEGED_CAPABILITIES = _config["default_privileged_capabilities"]
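Review bot: each `_config[...]` lookup here raises a bare `KeyError` at import time if the bundled config lacks the key, which surfaces as an opaque extension-load failure; a small helper that reads the key and raises an error naming the key and the config file would make that diagnosable. The JSON key `version_api` is ordered the other way round from the constant `API_VERSION` and from the `api_version` field name introduced in HISTORY.rst; aligning them avoids confusion. Spelling: `unpriviliged` and `priviliged` in the two comments should be `unprivileged` and `privileged`.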