Merge pull request #157 from wazir-ahmed/recommend

recommend: Converted rules spec file to YAML format
kubearmor · Sep 1, 2022 · 129a626 · 129a626
2 parents fd51571 + ae5480e
commit 129a626
Show file tree

Hide file tree

Showing 7 changed files with 206 additions and 195 deletions.
diff --git a/recommend/imageHandler.go b/recommend/imageHandler.go
@@ -19,6 +19,7 @@ import (
 	"time"
 
 	"github.com/clarketm/json"
+	"sigs.k8s.io/yaml"
 
 	"github.com/docker/docker/api/types"
 	"github.com/docker/docker/client"
@@ -279,22 +280,35 @@ func (img *ImageInfo) readManifest(manifest string) {
 }
 
 type distroRule struct {
-	Distro string `json:"distro"`
-	Match  []struct {
-		Path string `json:"path"`
-	} `json:"match"`
+	Name  string `json:"name" yaml:"name"`
+	Match []struct {
+		Path string `json:"path" yaml:"path"`
+	} `json:"match" yaml:"match"`
 }
 
-//go:embed json/distro.json
-var distroJSON []byte
+//go:embed yaml/distro.yaml
+var distroYAML []byte
 
 var distroRules []distroRule
 
 func init() {
-	err := json.Unmarshal(distroJSON, &distroRules)
+	distroJSON, err := yaml.YAMLToJSON(distroYAML)
 	if err != nil {
-		color.Red("failed to unmarshal distro json rules")
-		log.WithError(err).Fatal("failed to unmarshal distro json rules")
+		color.Red("failed to convert distro rules yaml to json")
+		log.WithError(err).Fatal("failed to convert distro rules yaml to json")
+	}
+
+	var jsonRaw map[string]json.RawMessage
+	err = json.Unmarshal(distroJSON, &jsonRaw)
+	if err != nil {
+		color.Red("failed to unmarshal distro rules json")
+		log.WithError(err).Fatal("failed to unmarshal distro rules json")
+	}
+
+	err = json.Unmarshal(jsonRaw["distroRules"], &distroRules)
+	if err != nil {
+		color.Red("failed to unmarshal distro rules")
+		log.WithError(err).Fatal("failed to unmarshal distro rules")
 	}
 }
 
@@ -309,8 +323,8 @@ func (img *ImageInfo) getDistro() {
 			}
 		}
 		if len(d.Match) > 0 && match {
-			color.Green("Distribution %s", d.Distro)
-			img.Distro = d.Distro
+			color.Green("Distribution %s", d.Name)
+			img.Distro = d.Name
 			return
 		}
 	}

diff --git a/recommend/json/distro.json b/recommend/json/distro.json
diff --git a/recommend/json/rules.json b/recommend/json/rules.json
diff --git a/recommend/policy.go b/recommend/policy.go
@@ -37,7 +37,7 @@ func addPolicyRule(policy *types.KubeArmorPolicy, r Rules) {
 
 			dirRule := types.KnoxMatchDirectories{
 				Dir:        path,
-				Recursive:  true,
+				Recursive:  pr.Recursive,
 				FromSource: fromSourceArr,
 			}
 			if pr.Owneronly {

diff --git a/recommend/policyRules.go b/recommend/policyRules.go
@@ -5,78 +5,93 @@ package recommend
 
 import (
 	_ "embed" // need for embedding
+
 	"errors"
 
 	"github.com/clarketm/json"
+	"sigs.k8s.io/yaml"
 
 	"github.com/fatih/color"
 	log "github.com/sirupsen/logrus"
 )
 
 // MatchSpec spec to match for defining policy
 type MatchSpec struct {
-	Name         string      `json:"name"`
-	Precondition string      `json:"precondition"`
-	Description  Description `json:"description"`
-	Rules        Rules       `json:"rules"`
-	OnEvent      OnEvent     `json:"onEvent"`
+	Name         string      `json:"name" yaml:"name"`
+	Precondition string      `json:"precondition" yaml:"precondition"`
+	Description  Description `json:"description" yaml:"description"`
+	Rules        Rules       `json:"rules" yaml:"rules"`
+	OnEvent      OnEvent     `json:"onEvent" yaml:"onEvent"`
 }
 
 // Ref for the policy rules
 type Ref struct {
-	Name string   `json:"name"`
-	URL  []string `json:"url"`
+	Name string   `json:"name" yaml:"name"`
+	URL  []string `json:"url" yaml:"url"`
 }
 
 // Description detailed description for the policy rule
 type Description struct {
-	Refs     []Ref  `json:"refs"`
-	Tldr     string `json:"tldr"`
-	Detailed string `json:"detailed"`
+	Refs     []Ref  `json:"refs" yaml:"refs"`
+	Tldr     string `json:"tldr" yaml:"tldr"`
+	Detailed string `json:"detailed" yaml:"detailed"`
 }
 
 // PathRule specifics for the path/dir rule. Note that if the Path ends in "/" it is considered to be Directory rule
 type PathRule struct {
-	FromSource string   `json:"fromSource"`
-	Path       []string `json:"path"`
-	Recursive  bool     `json:"recursive"`
-	Owneronly  bool     `json:"owneronly"`
+	FromSource string   `json:"fromSource" yaml:"fromSource"`
+	Path       []string `json:"path" yaml:"path"`
+	Recursive  bool     `json:"recursive" yaml:"recursive"`
+	Owneronly  bool     `json:"owneronly" yaml:"owneronly"`
 }
 
 // Rules set of applicable rules. In the future, we might have other types of rules.
 type Rules struct {
-	PathRule PathRule `json:"pathRule"`
+	PathRule PathRule `json:"pathRule" yaml:"pathRule"`
 }
 
 // OnEvent the information that is emitted in the telemetry/alert when the matching event is witnessed
 type OnEvent struct {
-	Severity int      `json:"severity"`
-	Message  string   `json:"message"`
-	Tags     []string `json:"tags"`
-	Action   string   `json:"action"`
+	Severity int      `json:"severity" yaml:"severity"`
+	Message  string   `json:"message" yaml:"message"`
+	Tags     []string `json:"tags" yaml:"tags"`
+	Action   string   `json:"action" yaml:"action"`
 }
 
-var policyMatch []MatchSpec
+var policyRules []MatchSpec
 
-//go:embed json/rules.json
-var ruleSpecJSON []byte
+//go:embed yaml/rules.yaml
+var policyRulesYAML []byte
 
 func init() {
-	err := json.Unmarshal(ruleSpecJSON, &policyMatch)
+	policyRulesJSON, err := yaml.YAMLToJSON(policyRulesYAML)
+	if err != nil {
+		color.Red("failed to convert policy rules yaml to json")
+		log.WithError(err).Fatal("failed to convert policy rules yaml to json")
+	}
+
+	var jsonRaw map[string]json.RawMessage
+	err = json.Unmarshal(policyRulesJSON, &jsonRaw)
+	if err != nil {
+		color.Red("failed to unmarshal policy rules json")
+		log.WithError(err).Fatal("failed to unmarshal policy rules json")
+	}
+
+	err = json.Unmarshal(jsonRaw["policyRules"], &policyRules)
 	if err != nil {
-		color.Red("failed to unmarshal json rules")
-		log.WithError(err).Fatal("failed to unmarshal json rules")
+		color.Red("failed to unmarshal policy rules")
+		log.WithError(err).Fatal("failed to unmarshal policy rules")
 	}
 }
 
 func getNextRule(idx *int) (MatchSpec, error) {
 	if *idx < 0 {
 		(*idx)++
 	}
-	if *idx >= len(policyMatch) {
+	if *idx >= len(policyRules) {
 		return MatchSpec{}, errors.New("no rule at idx")
 	}
-	r := policyMatch[*idx]
+	r := policyRules[*idx]
 	(*idx)++
 	return r, nil
 }
diff --git a/recommend/yaml/distro.yaml b/recommend/yaml/distro.yaml
@@ -0,0 +1,10 @@
+distroRules:
+- name: ubuntu
+  match:
+  - path: "/etc/dpkg/origins/ubuntu"
+- name: debian
+  match:
+  - path: "/etc/dpkg/origins/debian"
+- name: alpine
+  match:
+  - path: "/sbin/apk"