sprintf improvements and test Kubescape regolib

Author: andreaTP

core/src/main/java/com/styra/opa/wasm/OpaWasm.java

@@ -12,6 +12,7 @@
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Map;
 
 // Low level bindings to OPA
 @WasmModuleInterface("demo-policy.wasm")
@@ -71,26 +72,37 @@ public OpaBuiltin.Builtin[] initializeBuiltins(
             throw new RuntimeException(e);
         }
 
-        var result = new OpaBuiltin.Builtin[mappings.size()];
+        Map<Integer, OpaBuiltin.Builtin> result = new HashMap<>();
         // Default initialization to have proper error messages
         for (var m : mappings.entrySet()) {
-            result[m.getValue()] = () -> m.getKey();
+            result.put(m.getValue(), () -> m.getKey());
         }
         for (var builtin : builtins) {
             if (mappings.containsKey(builtin.name())) {
-                result[mappings.get(builtin.name())] = builtin;
+                result.put(mappings.get(builtin.name()), builtin);
             }
         }
         if (defaultBuiltins) {
             // provided builtins override anything with clashing name
             var all = Provided.all();
             for (var builtin : all) {
                 if (mappings.containsKey(builtin.name())) {
-                    result[mappings.get(builtin.name())] = builtin;
+                    result.put(mappings.get(builtin.name()), builtin);
                 }
             }
         }
-        return result;
+
+        int size = result.keySet().stream().mapToInt(i -> i + 1).max().orElse(0);
+        var finalResult = new OpaBuiltin.Builtin[size];
+        for (int i = 0; i < size; i++) {
+            if (result.containsKey(i)) {
+                finalResult[i] = result.get(i);
+            } else {
+                finalResult[i] = null;
+            }
+        }
+
+        return finalResult;
     }
 
     public static class Builder {

core/src/main/java/com/styra/opa/wasm/builtins/String.java

@@ -60,6 +60,11 @@ private static JsonNode sprintfImpl(OpaWasm instance, JsonNode operand0, JsonNod
 
         // Apply formatting using String.format
         try {
+            // %v partial support
+            if (format.contains("%v")) {
+                format = format.replaceAll("%v", "%s");
+            }
+
             var result = java.lang.String.format(format, args.toArray());
             return TextNode.valueOf(result);
         } catch (IllegalArgumentException e) {

core/src/test/java/com/styra/opa/wasm/OpaTest.java

@@ -105,4 +105,86 @@ public void issue69() throws Exception {
         policy.input("{\"method\":\"POST\"}");
         Assertions.assertFalse(Utils.getResult(policy.evaluate()).asBoolean());
     }
+
+    @Test
+    public void issue78Sprintf() throws Exception {
+        var policyWasm =
+                OpaCli.compile("issue78-sprintf", "armo_builtins/deny").resolve("policy.wasm");
+        var policy = OpaPolicy.builder().withPolicy(policyWasm).build();
+        var pod =
+                "apiVersion: v1\n"
+                        + "kind: Pod\n"
+                        + "metadata:\n"
+                        + "  name: static-web\n"
+                        + "  labels:\n"
+                        + "    role: myrole\n"
+                        + "spec:\n"
+                        + "  securityContext:\n"
+                        + "    runAsNonRoot: false\n"
+                        + "  containers:\n"
+                        + "    - name: web\n"
+                        + "      image: nginx\n"
+                        + "      ports:\n"
+                        + "        - name: web\n"
+                        + "          containerPort: 80\n"
+                        + "          protocol: TCP\n"
+                        + "      securityContext:\n"
+                        + "        runAsGroup: 1000\n";
+
+        // should be an array of Pods
+        var rawInput = DefaultMappers.jsonMapper.createArrayNode();
+        rawInput.add(DefaultMappers.yamlMapper.readTree(pod));
+
+        var input = DefaultMappers.jsonMapper.writeValueAsString(rawInput);
+
+        var result = policy.evaluate(input);
+
+        var resultNode = Utils.getResult(result).get(0);
+        var alertMessage = resultNode.get("alertMessage").asText();
+        var alertScore = resultNode.get("alertScore").asInt();
+
+        assertEquals("container: web in pod: static-web  may run as root", alertMessage);
+        assertEquals(7, alertScore);
+    }
+
+    @Test
+    public void issue78Updated() throws Exception {
+        var policyWasm =
+                OpaCli.compile("issue78-updated", "armo_builtins/deny").resolve("policy.wasm");
+        var policy = OpaPolicy.builder().withPolicy(policyWasm).build();
+        var pod =
+                "apiVersion: v1\n"
+                        + "kind: Pod\n"
+                        + "metadata:\n"
+                        + "  name: static-web\n"
+                        + "  labels:\n"
+                        + "    role: myrole\n"
+                        + "spec:\n"
+                        + "  securityContext:\n"
+                        + "    runAsNonRoot: false\n"
+                        + "  containers:\n"
+                        + "    - name: web\n"
+                        + "      image: nginx\n"
+                        + "      ports:\n"
+                        + "        - name: web\n"
+                        + "          containerPort: 80\n"
+                        + "          protocol: TCP\n"
+                        + "      securityContext:\n"
+                        + "        runAsGroup: 1000";
+
+        // should be an array of Pods
+        var rawInput = DefaultMappers.jsonMapper.createArrayNode();
+        rawInput.add(DefaultMappers.yamlMapper.readTree(pod));
+
+        var input = DefaultMappers.jsonMapper.writeValueAsString(rawInput);
+
+        var result = policy.evaluate(input);
+
+        var resultNode = Utils.getResult(result).get(0);
+        var alertMessage = resultNode.get("alertMessage").asText();
+        var alertScore = resultNode.get("alertScore").asInt();
+
+        assertEquals("container: web in pod: static-web may run as root", alertMessage);
+        assertEquals(7, alertScore);
+    }
 }

core/src/test/resources/fixtures/issue78-sprintf/policy.rego

@@ -0,0 +1,150 @@
+package armo_builtins
+
+
+################################################################################
+# Rules
+deny[msga] {
+    pod := input[_]
+    pod.kind == "Pod"
+	container := pod.spec.containers[i]
+
+	start_of_path := "spec"
+	run_as_user_fixpath := evaluate_workload_run_as_user(container, pod, start_of_path)
+	run_as_group_fixpath := evaluate_workload_run_as_group(container, pod, start_of_path)
+	all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath)
+	count(all_fixpaths) > 0
+	fixPaths := get_fixed_paths(all_fixpaths, i)
+
+    msga := {
+		"alertMessage": sprintf("container: %v in pod: %v  may run as root", [container.name, pod.metadata.name]),
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"reviewPaths": [],
+		"failedPaths": [],
+        "fixPaths": fixPaths,
+		"alertObject": {
+			"k8sApiObjects": [pod]
+		}
+	}
+}
+
+
+deny[msga] {
+    wl := input[_]
+	spec_template_spec_patterns := {"Deployment","ReplicaSet","DaemonSet","StatefulSet","Job"}
+	spec_template_spec_patterns[wl.kind]
+    container := wl.spec.template.spec.containers[i]
+
+	start_of_path := "spec.template.spec"
+	run_as_user_fixpath := evaluate_workload_run_as_user(container, wl.spec.template, start_of_path)
+	run_as_group_fixpath := evaluate_workload_run_as_group(container, wl.spec.template, start_of_path)
+	all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath)
+	count(all_fixpaths) > 0
+	fixPaths := get_fixed_paths(all_fixpaths, i)
+
+    msga := {
+		"alertMessage": sprintf("container: %v in %v: %v may run as root", [container.name, wl.kind, wl.metadata.name]),
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"reviewPaths": [],
+		"failedPaths": [],
+        "fixPaths": fixPaths,
+		"alertObject": {
+			"k8sApiObjects": [wl]
+		}
+	}
+}
+
+# Fails if cronjob has a container configured to run as root
+deny[msga] {
+	wl := input[_]
+	wl.kind == "CronJob"
+	container = wl.spec.jobTemplate.spec.template.spec.containers[i]
+
+	start_of_path := "spec.jobTemplate.spec.template.spec"
+	run_as_user_fixpath := evaluate_workload_run_as_user(container, wl.spec.jobTemplate.spec.template, start_of_path)
+	run_as_group_fixpath := evaluate_workload_run_as_group(container, wl.spec.jobTemplate.spec.template, start_of_path)
+	all_fixpaths := array.concat(run_as_user_fixpath, run_as_group_fixpath)
+	count(all_fixpaths) > 0
+	fixPaths := get_fixed_paths(all_fixpaths, i)
+
+
+    msga := {
+		"alertMessage": sprintf("container: %v in %v: %v  may run as root", [container.name, wl.kind, wl.metadata.name]),
+		"packagename": "armo_builtins",
+		"alertScore": 7,
+		"reviewPaths": [],
+		"failedPaths": [],
+        "fixPaths": fixPaths,
+		"alertObject": {
+			"k8sApiObjects": [wl]
+		}
+	}
+}
+
+
+get_fixed_paths(all_fixpaths, i) = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}, {"path":replace(all_fixpaths[1].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[1].value}]{
+	count(all_fixpaths) == 2
+} else = [{"path":replace(all_fixpaths[0].path,"container_ndx",format_int(i,10)), "value":all_fixpaths[0].value}]
+
+#################################################################################
+# Workload evaluation
+
+# if runAsUser is set to 0 and runAsNonRoot is set to false/ not set - suggest to set runAsUser to 1000
+# if runAsUser is not set and runAsNonRoot is set to false/ not set - suggest to set runAsNonRoot to true
+# all checks are both on the pod and the container level
+evaluate_workload_run_as_user(container, pod, start_of_path) = fixPath {
+	runAsNonRootValue := get_run_as_non_root_value(container, pod, start_of_path)
+	runAsNonRootValue.value == false
+
+	runAsUserValue := get_run_as_user_value(container, pod, start_of_path)
+	runAsUserValue.value == 0
+
+	alertInfo := choose_first_if_defined(runAsUserValue, runAsNonRootValue)
+	fixPath := alertInfo.fixPath
+} else = []
+
+
+# if runAsGroup is set to 0/ not set - suggest to set runAsGroup to 1000
+# all checks are both on the pod and the container level
+evaluate_workload_run_as_group(container, pod, start_of_path) = fixPath {
+	runAsGroupValue := get_run_as_group_value(container, pod, start_of_path)
+	runAsGroupValue.value == 0
+
+	fixPath := runAsGroupValue.fixPath
+} else = []
+
+
+#################################################################################
+# Value resolution functions
+
+
+get_run_as_non_root_value(container, pod, start_of_path) = runAsNonRoot {
+    runAsNonRoot := {"value" : container.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
+} else = runAsNonRoot {
+    runAsNonRoot := {"value" : pod.spec.securityContext.runAsNonRoot, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}], "defined" : true}
+}  else = {"value" : false, "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]) , "value":"true"}], "defined" : false}
+
+get_run_as_user_value(container, pod, start_of_path) = runAsUser {
+	path := sprintf("%v.containers[container_ndx].securityContext.runAsUser", [start_of_path])
+    runAsUser := {"value" : container.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}], "defined" : true}
+} else = runAsUser {
+	path := sprintf("%v.securityContext.runAsUser", [start_of_path])
+    runAsUser := {"value" : pod.spec.securityContext.runAsUser, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
+} else = {"value" : 0, "fixPath": [{"path":  sprintf("%v.containers[container_ndx].securityContext.runAsNonRoot", [start_of_path]), "value":"true"}],
+	"defined" : false}
+
+get_run_as_group_value(container, pod, start_of_path) = runAsGroup {
+	path := sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path])
+    runAsGroup := {"value" : container.securityContext.runAsGroup, "fixPath": [{"path": path, "value": "1000"}],"defined" : true}
+} else = runAsGroup {
+	path := sprintf("%v.securityContext.runAsGroup", [start_of_path])
+    runAsGroup := {"value" : pod.spec.securityContext.runAsGroup, "fixPath":[{"path": path, "value": "1000"}], "defined" : true}
+} else = {"value" : 0, "fixPath": [{"path": sprintf("%v.containers[container_ndx].securityContext.runAsGroup", [start_of_path]), "value":"1000"}],
+ 	"defined" : false
+}
+
+choose_first_if_defined(l1, l2) = c {
+    l1.defined
+    c := l1
+} else = l2