Initial policy management implementation
Add a new service node, "management". Implement API for updating and
querying policies via this node.

Signed-off-by: Sergei Trofimov <[email protected]>
setrofim committed Jul 24, 2023
1 parent e46d50a commit 9856c2a
Showing 24 changed files with 940 additions and 11 deletions.
1 change: 1 addition & 0 deletions .gitignore
Expand Up @@ -19,6 +19,7 @@ integration-tests/.built
__generated__
__pycache__
__debug_bin
management/cmd/management-service/management-service

# Test binary, built with `go test -c`
*.test
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -8,6 +8,7 @@ SUBDIR += config
SUBDIR += handler
SUBDIR += kvstore
SUBDIR += log
SUBDIR += management
SUBDIR += plugin
SUBDIR += policy
SUBDIR += proto
12 changes: 10 additions & 2 deletions deployments/docker/Makefile
Expand Up @@ -24,6 +24,7 @@ SRC_DIR := $(THIS_DIR)src/
BUILDER_CONTEXT := $(CONTEXT_DIR)/builder

vts_FLAGS := -v $(STORES_VOLUME):/opt/veraison/stores
management_FLAGS := -v $(STORES_VOLUME):/opt/veraison/stores -p $(MANAGEMENT_PORT):$(MANAGEMENT_PORT)
provisioning_FLAGS := -p $(PROVISIONING_PORT):$(PROVISIONING_PORT)
verification_FLAGS := -p $(VERIFICATION_PORT):$(VERIFICATION_PORT)

Expand Down Expand Up @@ -85,7 +86,8 @@ services:
@# image targets (possibly because of the need to recursively resolve %,
@# but I haven't looked too much into it). Recursively calling $(MAKE) here
@# resolves the issue.
$(MAKE) .built/vts-container .built/provisioning-container .built/verification-container
$(MAKE) .built/vts-container .built/provisioning-container .built/verification-container \
.built/management-container

.PHONY: vts
vts: deploy .built/vts-container
Expand All @@ -105,6 +107,12 @@ verification: deploy .built/verification-container
.PHONY: verification-image
verification-image: deploy .built/verification-image

.PHONY: management
management: deploy .built/management-container

.PHONY: management-image
management-image: deploy .built/management-image

.PHONY: network
network: .built/network

Expand Down Expand Up @@ -165,7 +173,7 @@ docker-clean:
docker volume rm -f $(DEPLOY_DEST); \
fi
@# -f ensures exit code 0, even if image doesn't exist
docker container rm -f vts-service provisioning-service verification-service
docker container rm -f vts-service provisioning-service verification-service management-service
docker volume rm -f veraison-logs veraison-stores
@# ubuntu uses an older version of docker without -f option for network; hence the || : cludge
docker network rm $(VERAISON_NETWORK) || :
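Review bot: `management_FLAGS` publishes the new port with `-p $(MANAGEMENT_PORT):$(MANAGEMENT_PORT)`, which binds on every host interface, and per the commit message this node serves the policy update API — a write path into the verifier's policy store, so it deserves a narrower default than the provisioning/verification ports whose pattern it copies. Nothing in this commit shows an authentication or TLS setting for that listener, so presumably anything that can reach the host port can change policies — confirm. I would publish it loopback-only by default, `management_FLAGS := -v $(STORES_VOLUME):/opt/veraison/stores -p 127.0.0.1:$(MANAGEMENT_PORT):$(MANAGEMENT_PORT)`, and document how to widen it when a deployment fronts it with an auth proxy. Note also that `management` mounts the stores volume read-write exactly like `vts`, so two containers now write the same store files; that is presumably required for policy updates, but a one-line comment saying the store tolerates concurrent writers would save the next reader a question.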
1 change: 1 addition & 0 deletions deployments/docker/deployment.cfg
Expand Up @@ -12,6 +12,7 @@ VERAISON_NETWORK=veraison-net
VTS_PORT=50051
PROVISIONING_PORT=8888
VERIFICATION_PORT=8080
MANAGEMENT_PORT=8088

# Deploy destination is either an absolute path to a directory on the host, or
# the name of a docker volume.
2 changes: 1 addition & 1 deletion deployments/docker/src/builder-dispatcher
Expand Up @@ -31,7 +31,7 @@ function deploy() {
cp $BUILD_DIR/provisioning/cmd/provisioning-service/provisioning-service $DEPLOY_DIR/
cp $BUILD_DIR/verification/cmd/verification-service/verification-service $DEPLOY_DIR/
cp $BUILD_DIR/vts/cmd/vts-service/vts-service $DEPLOY_DIR/
cp $BUILD_DIR/vts/cmd/vts-service/vts-service $DEPLOY_DIR/
cp $BUILD_DIR/management/cmd/management-service/management-service $DEPLOY_DIR/
cp $BUILD_DIR/scheme/bin/* $DEPLOY_DIR/plugins/
cp $BUILD_DIR/deployments/docker/src/skey.jwk $DEPLOY_DIR/
cp $BUILD_DIR/deployments/docker/src/service-entrypoint $DEPLOY_DIR/
2 changes: 2 additions & 0 deletions deployments/docker/src/config.yaml.template
Expand Up @@ -7,6 +7,8 @@ provisioning:
listen-addr: 0.0.0.0:${PROVISIONING_PORT}
verification:
listen-addr: 0.0.0.0:${VERIFICATION_PORT}
management:
listen-addr: 0.0.0.0:${MANAGEMENT_PORT}
vts:
server-addr: vts-service:${VTS_PORT}
ear-signer:
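Review bot: The new `management:` entry carries only `listen-addr`, so the policy update/query API this service exposes is configured with no authentication or transport-security setting at all — presumably none exist yet, but a template is exactly where a deployer will look for them. I would put a comment above the block, `# management serves the policy update API; nothing here enforces auth, so keep this listener off untrusted networks` (adjusted to whatever the service actually enforces), so nobody ships the `0.0.0.0` bind without knowing what it opens. If auth is planned, reserving the key names in the template now also avoids a config migration later.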
1 change: 1 addition & 0 deletions deployments/docker/src/load-config.mk
Expand Up @@ -10,6 +10,7 @@ VERAISON_NETWORK ?= veraison-net
VTS_PORT ?= 50051
PROVISIONING_PORT ?= 8888
VERIFICATION_PORT ?= 8080
MANAGEMENT_PORT ?= 8088

# Deploy destination is either an absolute path to a directory on the host, or
# the name of a docker volume.
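--- /dev/null
+++ b/deployments/docker/src/management.docker
@@ -0,0 +1,28 @@
+# Management service container.
+# The context for building this image is assumed to be the Veraison deployment
+# directory (/tmp/veraison is the default for make build).
+FROM debian as veraison-management
+
+RUN apt-get update \
+&& DEBIAN_FRONTEND=noninteractive apt-get install \
+--assume-yes \
+--no-install-recommends \
+uuid-runtime \
+&& uuidgen | tr -d - > /etc/machine-id \
+&& apt-get clean \
+&& apt-get autoremove --assume-yes \
+&& rm -rf /var/lib/apt/lists/* /var/tmp/* /tmp/*
+
+RUN groupadd -g 616 veraison && \
+useradd -m -g veraison --system veraison
+
+USER veraison
+
+WORKDIR /opt/veraison
+
+ADD --chown=veraison:nogroup plugins plugins
+ADD --chown=veraison:nogroup config.yaml management-service service-entrypoint ./
+
+ENTRYPOINT ["/opt/veraison/service-entrypoint"]
+CMD ["/opt/veraison/management-service"]
+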
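Review bot: The two `ADD --chown=veraison:nogroup` lines give the deployed files a group that does not match the user created just above them (`useradd -m -g veraison`), and `ADD` carries URL-fetch and auto-untar semantics that `COPY` does not; `COPY --chown=veraison:veraison plugins plugins` and `COPY --chown=veraison:veraison config.yaml management-service service-entrypoint ./` is the safer and consistent form. `FROM debian` with no tag floats with whatever `latest` resolves to at build time, so two builds of the same commit can produce different images; pin a release tag or digest, e.g. `FROM debian:bookworm-slim AS veraison-management`. Also note that `uuidgen > /etc/machine-id` runs at image build, so every container started from this image shares one machine-id — harmless if nothing keys on it, but worth a comment if the service ever uses it as an instance identity (confirm).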
27 changes: 25 additions & 2 deletions deployments/docker/veraison
Expand Up @@ -8,19 +8,21 @@ function status() {
local vts=$(_get_container_state vts-service)
local prov=$(_get_container_state provisioning-service)
local verif=$(_get_container_state verification-service)
local manage=$(_get_container_state management-service)

if [[ $_quiet == true ]]; then
local vts=$(_strip_color $vts)
local prov=$(_strip_color $prov)
local verif=$(_strip_color $verif)
local manage=$(_strip_color $manage)

local status="${_yell}stopped${_reset}"

if [[ "$vts" == "running" || "$prov" == "running" || "$verif" == "running" ]]; then
if [[ "$vts" == "running" || "$prov" == "running" || "$verif" == "running" || "$manage" == "running" ]]; then
status="${_yell}partial${_yell}"
fi

if [[ "$vts" == "running" && "$prov" == "running" && "$verif" == "running" ]]; then
if [[ "$vts" == "running" && "$prov" == "running" && "$verif" == "running" && "$manage" == "running" ]]; then
status="${_green}running${_reset}"
fi

Expand All @@ -29,6 +31,7 @@ function status() {
echo -e " vts: $vts"
echo -e "provisioning: $prov"
echo -e "verification: $verif"
echo -e " management: $manage"
fi
}

Expand All @@ -40,12 +43,15 @@ function start() {
sleep 0.5 # wait for vts to start before starting the services that depend on it.
start_provisioning
start_verification
start_management
elif [[ "$what" == "vts" || "$what" == "vts-service" ]]; then
start_vts
elif [[ "$what" == "provisioning" || "$what" == "provisioning-service" ]]; then
start_provisioning
elif [[ "$what" == "verification" || "$what" == "verification-service" ]]; then
start_verification
elif [[ "$what" == "management" || "$what" == "management-service" ]]; then
start_management
else
echo -e "$_error: unknown service: $what"
exit 1
Expand All @@ -56,6 +62,7 @@ function stop() {
local what=$1

if [[ "x$what" == "x" ]]; then
stop_management
stop_verification
stop_provisioning
stop_vts
Expand All @@ -65,6 +72,8 @@ function stop() {
stop_provisioning
elif [[ "$what" == "verification" || "$what" == "verification-service" ]]; then
stop_verification
elif [[ "$what" == "management" || "$what" == "management-service" ]]; then
stop_management
else
echo -e "$_error: unknown service: $what"
exit 1
Expand All @@ -80,6 +89,8 @@ function follow() {
follow_provisioning
elif [[ "$what" == "verification" || "$what" == "verification-service" ]]; then
follow_verification
elif [[ "$what" == "management" || "$what" == "management-service" ]]; then
follow_management
else
echo -e "$_error: unknown service: $what"
exit 1
Expand Down Expand Up @@ -122,6 +133,18 @@ function follow_verification() {
docker container logs --follow --timestamps verification-service
}

function start_management() {
docker container start management-service
}

function stop_management() {
docker container stop management-service
}

function follow_management() {
docker container logs --follow --timestamps management-service
}

function manager() {
docker container run --rm -t \
--network veraison-net \
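Review bot: `start_management`, `stop_management` and `follow_management` are the fourth copy of the same three one-line wrappers; a single helper taking the container name, `_start_service() { docker container start "$1"; }` (and likewise for stop and follow) called from `start`/`stop`/`follow` would stop the next service from adding another dozen lines and four more `elif` branches. In the quiet branch, `local manage=$(_strip_color $manage)` passes the value unquoted, matching its neighbours, but `"$manage"` costs nothing and removes any dependence on how `_strip_color` handles a split argument. The adjacent context line `status="${_yell}partial${_yell}"` ends in `${_yell}` where the other assignments end in `${_reset}`, a pre-existing nit this hunk sits directly on. `manager()` begins at the end of the hunk and continues outside it.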
5 changes: 0 additions & 5 deletions integration-tests/Makefile
Expand Up @@ -26,11 +26,6 @@ CONTAINER_FLAGS := --env-file $(DEPLOYMENT_SRC_DIR)deployment.cfg --network ver
-v $(THIS_DIR):/integration-tests \
-v $(STORES_VOLUME):/opt/veraison/stores

DEPLOYMENT_DEPS := $(DEPLOYMENT_SRC_DIR).built/network \
$(DEPLOYMENT_SRC_DIR).built/vts-container \
$(DEPLOYMENT_SRC_DIR).built/provisioning-container \
$(DEPLOYMENT_SRC_DIR).built/verification-container

CLEANFILES := .pytest_cache utils/__pycache__ __generated__

.PHONY: image
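--- /dev/null
+++ b/integration-tests/data/policies/psa-short.rego
@@ -0,0 +1,3 @@
+package policy
+
+executables = APPROVED_RT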
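--- /dev/null
+++ b/integration-tests/data/policies/psa.rego
@@ -0,0 +1,9 @@
+package policy
+
+executables = APPROVED_RT {
+some i
+
+evidence["psa-software-components"][i]["measurement-type"] == "BL"
+
+semver_cmp(evidence["psa-software-components"][i].version, "3.5") >= 0
+} else = UNSAFE_RT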
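Review bot: The rule approves when `some i` finds any one `BL` component at version 3.5 or later, so evidence listing an outdated bootloader alongside a current one still yields `APPROVED_RT`; that is fine for a test fixture but should be stated, because this file will be copied as the first example of a Veraison policy. I would open the file with `# Test fixture: APPROVED_RT if at least one "BL" software component reports version >= 3.5, otherwise UNSAFE_RT.` and a second line noting that `semver_cmp` is presumably a Veraison-provided builtin rather than a standard OPA function (confirm), since readers will otherwise look for it in the OPA docs.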
1 change: 1 addition & 0 deletions integration-tests/docker/bashrc
Expand Up @@ -2,6 +2,7 @@ export PATH=~/.local/bin:$PATH
export PYTHONPATH=$PYTHONPATH:/integration-testing/utils
export PROVISIONING_HOST=provisioning-service
export VERIFICATION_HOST=verification-service
export MANAGEMENT_HOST=management-service
export PS1='\e[0;32m\u@debug-container \e[0;34m\w\n\e[0;32m$\e[0m '

alias ll='ls -lh --color=auto'
1 change: 1 addition & 0 deletions integration-tests/tests/common.yaml
Expand Up @@ -4,6 +4,7 @@ description: Common test information
variables:
provisioning-service: '{tavern.env_vars.PROVISIONING_HOST}.{tavern.env_vars.VERAISON_NETWORK}:{tavern.env_vars.PROVISIONING_PORT}'
verification-service: '{tavern.env_vars.VERIFICATION_HOST}.{tavern.env_vars.VERAISON_NETWORK}:{tavern.env_vars.VERIFICATION_PORT}'
management-service: '{tavern.env_vars.MANAGEMENT_HOST}.{tavern.env_vars.VERAISON_NETWORK}:{tavern.env_vars.MANAGEMENT_PORT}'
good-nonce: QUp8F0FBs9DpodKK8xUg8NQimf6sQAfe2J1ormzZLxk=
bad-nonce: Ppfdfe2JzZLOk=
endorsements-content-types: