chore: add file permission check

Signed-off-by: Arjun Raja Yogidas <[email protected]>

Author: coderbirju

.github/workflows/ci.yaml

@@ -105,17 +105,19 @@ jobs:
         run: |
           sudo ls /etc/cni/net.d
           sudo rm /etc/cni/net.d/87-podman-bridge.conflist
+      - name: Verify Rego file presence
+        run: ls -l ${{ github.workspace }}/docs/sample-rego-policies/example.rego
+      - name: Set Rego file path
+        run: echo "REGO_FILE_PATH=${{ github.workspace }}/docs/sample-rego-policies/example.rego" >> $GITHUB_ENV
+      - name: Start finch-daemon with opa Authz
+        run: sudo bin/finch-daemon --debug --enable-opa-middleware --rego-file ${{ github.workspace }}/docs/sample-rego-policies/example.rego --skip-rego-perm-check --socket-owner $UID --socket-addr /run/finch.sock --pidfile /run/finch.pid &
+      - name: Run opa e2e tests
+        run: sudo -E make test-e2e-opa
+      - name: Clean up Daemon socket
+        run: sudo rm /run/finch.sock && sudo rm /run/finch.pid
       - name: Start finch-daemon
         run: sudo bin/finch-daemon  --debug --socket-owner $UID &
       - name: Run e2e test
         run: sudo make test-e2e
       - name: Clean up Daemon socket
         run: sudo rm /var/run/finch.sock && sudo rm /run/finch.pid
-      - name: Verify Rego file presence
-        run: ls -l ${{ github.workspace }}/docs/sample-rego-policies/default.rego
-      - name: Set Rego file path
-        run: echo "REGO_FILE_PATH=${{ github.workspace }}/docs/sample-rego-policies/default.rego" >> $GITHUB_ENV
-      - name: Start finch-daemon with opa Authz
-        run: sudo bin/finch-daemon --debug --enable-middleware --rego-file ${{ github.workspace }}/docs/sample-rego-policies/default.rego --socket-owner $UID &
-      - name: Run opa e2e tests
-        run: sudo -E make test-e2e-opa

Makefile

@@ -117,9 +117,10 @@ test-e2e: linux
 .PHONY: test-e2e-opa
 test-e2e-opa: linux
 	DOCKER_HOST="unix:///run/finch.sock" \
-	DOCKER_API_VERSION="v1.43" \
+	DOCKER_API_VERSION="v1.41" \
 	MIDDLEWARE_E2E=1 \
-	TEST_E2E=1 \
+	TEST_E2E=0 \
+	DAEMON_ROOT="$(BIN)/finch-daemon" \
 	$(GINKGO) $(GFLAGS) ./e2e/...
 
 .PHONY: licenses
@@ -134,4 +135,4 @@ coverage: linux
 .PHONY: release
 release: linux
 	@echo "$@"
-	@$(FINCH_DAEMON_PROJECT_ROOT)/scripts/create-releases.sh $(RELEASE_TAG)
+	@$(FINCH_DAEMON_PROJECT_ROOT)/scripts/create-releases.sh $(RELEASE_TAG)

api/router/router.go

@@ -62,16 +62,17 @@ type Options struct {
 func New(opts *Options) (http.Handler, error) {
 	r := mux.NewRouter()
 	r.Use(VersionMiddleware)
+
+	logger := flog.NewLogrus()
+
 	if opts.RegoFilePath != "" {
-		regoMiddleware, err := CreateRegoMiddleware(opts.RegoFilePath)
+		regoMiddleware, err := CreateRegoMiddleware(opts.RegoFilePath, logger)
 		if err != nil {
 			return nil, err
 		}
 		r.Use(regoMiddleware)
 	}
 	vr := types.VersionedRouter{Router: r}
-
-	logger := flog.NewLogrus()
 	system.RegisterHandlers(vr, opts.SystemService, opts.Config, opts.NerdctlWrapper, logger)
 	image.RegisterHandlers(vr, opts.ImageService, opts.Config, logger)
 	container.RegisterHandlers(vr, opts.ContainerService, opts.Config, logger)
@@ -112,7 +113,7 @@ func VersionMiddleware(next http.Handler) http.Handler {
 // CreateRegoMiddleware dynamically parses the rego file at the path specified in options
 // and allows or denies the request based on the policy.
 // Will return a nil function and an error if the given file path is blank or invalid.
-func CreateRegoMiddleware(regoFilePath string) (func(next http.Handler) http.Handler, error) {
+func CreateRegoMiddleware(regoFilePath string, logger *flog.Logrus) (func(next http.Handler) http.Handler, error) {
 	if regoFilePath == "" {
 		return nil, errRego
 	}
@@ -135,20 +136,24 @@ func CreateRegoMiddleware(regoFilePath string) (func(next http.Handler) http.Han
 				Path:   r.URL.Path,
 			}
 
-			fmt.Printf("Evaluating policy rules for API request with Method = %s and Path = %s \n", input.Method, input.Path)
+			logger.Debugf("OPA input being evaluated: Method=%s, Path=%s", input.Method, input.Path)
+
 			rs, err := preppedQuery.Eval(r.Context(), rego.EvalInput(input))
 			if err != nil {
+				logger.Errorf("OPA policy evaluation failed: %v", err)
 				response.SendErrorResponse(w, http.StatusInternalServerError, errInput)
 				return
 			}
 
+			logger.Debugf("OPA evaluation results: %+v", rs)
+
 			if !rs.Allowed() {
-				// need to log evaluation result in order to mitigate Repudiation threat
-				fmt.Printf("Evaluation result: failed, method %s not allowed for path %s \n", r.Method, r.URL.Path)
+				logger.Infof("OPA request denied: Method=%s, Path=%s", r.Method, r.URL.Path)
 				response.SendErrorResponse(w, http.StatusForbidden,
 					fmt.Errorf("method %s not allowed for path %s", r.Method, r.URL.Path))
 				return
 			}
+			logger.Debugf("OPA request allowed: Method=%s, Path=%s", r.Method, r.URL.Path)
 			newReq := r.WithContext(r.Context())
 			next.ServeHTTP(w, newReq)
 		})

cmd/finch-daemon/main.go

@@ -43,15 +43,15 @@ const (
 )
 
 type DaemonOptions struct {
-	debug            bool
-	socketAddr       string
-	socketOwner      int
-	debugAddress     string
-	configPath       string
-	pidFile          string
-	regoFilePath     string
-	enableMiddleware bool
-	regoFileLock     *flock.Flock
+	debug               bool
+	socketAddr          string
+	socketOwner         int
+	debugAddress        string
+	configPath          string
+	pidFile             string
+	regoFilePath        string
+	enableOPAMiddleware bool
+	skipRegoPermCheck   bool
 }
 
 var options = new(DaemonOptions)
@@ -71,7 +71,9 @@ func main() {
 	rootCmd.Flags().StringVar(&options.configPath, "config-file", defaultConfigPath, "Daemon Config Path")
 	rootCmd.Flags().StringVar(&options.pidFile, "pidfile", defaultPidFile, "pid file location")
 	rootCmd.Flags().StringVar(&options.regoFilePath, "rego-file", "", "Rego Policy Path")
-	rootCmd.Flags().BoolVar(&options.enableMiddleware, "enable-middleware", false, "turn on middleware for allowlisting")
+	rootCmd.Flags().BoolVar(&options.enableOPAMiddleware, "enable-opa-middleware", false, "turn on OPA middleware for allowlisting")
+	rootCmd.Flags().BoolVar(&options.skipRegoPermCheck, "skip-rego-perm-check", false, "skip the rego file permission check (allows permissions more permissive than 0600)")
+
 	if err := rootCmd.Execute(); err != nil {
 		log.Printf("got error: %v", err)
 		log.Fatal(err)
@@ -149,10 +151,6 @@ func run(options *DaemonOptions) error {
 	logger := flog.NewLogrus()
 	r, err := newRouter(options, logger)
 	if err != nil {
-		// call regoFile cleanup function here to unlock previously locked file
-		if options.regoFilePath != "" {
-			cleanupRegoFile(options, logger)
-		}
 		return fmt.Errorf("failed to create a router: %w", err)
 	}
 
@@ -202,8 +200,6 @@ func run(options *DaemonOptions) error {
 		}
 	}()
 
-	defer cleanupRegoFile(options, logger)
-
 	sdNotify(daemon.SdNotifyReady, logger)
 	serverWg.Wait()
 	logger.Debugln("Server stopped. Exiting...")
@@ -227,8 +223,8 @@ func newRouter(options *DaemonOptions, logger *flog.Logrus) (http.Handler, error
 	}
 
 	var regoFilePath string
-	if options.enableMiddleware {
-		regoFilePath, err = sanitizeRegoFile(options)
+	if options.enableOPAMiddleware {
+		regoFilePath, err = checkRegoFileValidity(options, logger)
 		if err != nil {
 			return nil, err
 		}

cmd/finch-daemon/router_utils.go

@@ -14,7 +14,6 @@ import (
 	"github.com/containerd/containerd/v2/pkg/namespaces"
 	"github.com/containerd/nerdctl/v2/pkg/api/types"
 	"github.com/containerd/nerdctl/v2/pkg/config"
-	"github.com/gofrs/flock"
 	toml "github.com/pelletier/go-toml/v2"
 	"github.com/runfinch/finch-daemon/api/router"
 	"github.com/runfinch/finch-daemon/internal/backend"
@@ -29,7 +28,6 @@ import (
 	"github.com/runfinch/finch-daemon/pkg/archive"
 	"github.com/runfinch/finch-daemon/pkg/ecc"
 	"github.com/runfinch/finch-daemon/pkg/flog"
-	"github.com/sirupsen/logrus"
 	"github.com/spf13/afero"
 )
 
@@ -94,45 +92,6 @@ func createContainerdClient(conf *config.Config) (*backend.ContainerdClientWrapp
 	return backend.NewContainerdClientWrapper(client), nil
 }
 
-// sanitizeRegoFile validates and prepares the Rego policy file for use.
-// It checks validates the file, acquires a file lock,
-// and sets rego file to be read-only.
-func sanitizeRegoFile(options *DaemonOptions) (string, error) {
-	if options.regoFilePath != "" {
-		if !options.enableMiddleware {
-			return "", fmt.Errorf("rego file path was provided without the --enable-middleware flag, please provide the --enable-middleware flag") // todo, can we default to setting this flag ourselves is this better UX?
-		}
-
-		if err := checkRegoFileValidity(options.regoFilePath); err != nil {
-			return "", err
-		}
-	}
-
-	if options.enableMiddleware && options.regoFilePath == "" {
-		return "", fmt.Errorf("rego file path not provided, please provide the policy file path using the --rego-file flag")
-	}
-
-	fileLock := flock.New(options.regoFilePath)
-
-	locked, err := fileLock.TryLock()
-	if err != nil {
-		return "", fmt.Errorf("error acquiring lock on rego file: %v", err)
-	}
-	if !locked {
-		return "", fmt.Errorf("unable to acquire lock on rego file, it may be in use by another process")
-	}
-
-	// Change file permissions to read-only
-	err = os.Chmod(options.regoFilePath, 0400)
-	if err != nil {
-		fileLock.Unlock()
-		return "", fmt.Errorf("error changing rego file permissions: %v", err)
-	}
-	options.regoFileLock = fileLock
-
-	return options.regoFilePath, nil
-}
-
 // createRouterOptions creates router options by initializing all required services.
 func createRouterOptions(
 	conf *config.Config,
@@ -160,39 +119,37 @@ func createRouterOptions(
 	}
 }
 
-// checkRegoFileValidity verifies that the given rego file exists and has the right file extension.
-func checkRegoFileValidity(regoFilePath string) error {
-	fmt.Println("filepath in checkRegoFileValidity = ", regoFilePath)
-	if _, err := os.Stat(regoFilePath); os.IsNotExist(err) {
-		return fmt.Errorf("provided Rego file path does not exist: %s", regoFilePath)
+// checkRegoFileValidity validates and prepares the Rego policy file for use.
+// It verifies that the file exists, has the right extension (.rego), and has appropriate permissions.
+func checkRegoFileValidity(options *DaemonOptions, logger *flog.Logrus) (string, error) {
+	if options.regoFilePath == "" {
+		return "", fmt.Errorf("rego file path not provided, please provide the policy file path using the --rego-file flag")
 	}
 
-	// Check if the file has a valid extension (.rego)
-	fileExt := strings.ToLower(filepath.Ext(regoFilePath))
-
-	fmt.Println("fileExt = ", fileExt)
-	if fileExt != ".rego" {
-		return fmt.Errorf("invalid file extension for Rego file. Only .rego files are supported")
+	if _, err := os.Stat(options.regoFilePath); os.IsNotExist(err) {
+		return "", fmt.Errorf("provided Rego file path does not exist: %s", options.regoFilePath)
 	}
 
-	return nil
-}
+	// Check if the file has a valid extension (.rego)
+	fileExt := strings.ToLower(filepath.Ext(options.regoFilePath))
 
-func cleanupRegoFile(options *DaemonOptions, logger *flog.Logrus) {
-	if options.regoFileLock == nil {
-		return // Already cleaned up or nothing to clean
+	if fileExt != ".rego" {
+		return "", fmt.Errorf("invalid file extension for Rego file. Only .rego files are supported")
 	}
 
-	// unlock the rego file
-	if err := options.regoFileLock.Unlock(); err != nil {
-		logrus.Errorf("failed to unlock Rego file: %v", err)
-	}
-	logger.Infof("rego file unlocked")
+	if !options.skipRegoPermCheck {
+		fileInfo, err := os.Stat(options.regoFilePath)
+		if err != nil {
+			return "", fmt.Errorf("error checking rego file permissions: %v", err)
+		}
 
-	// make rego file editable
-	if err := os.Chmod(options.regoFilePath, 0600); err != nil {
-		logrus.Errorf("failed to change file permissions of rego file: %v", err)
+		if fileInfo.Mode().Perm()&0177 != 0 {
+			return "", fmt.Errorf("rego file permissions %o are too permissive (maximum allowable permissions: 0600)", fileInfo.Mode().Perm())
+		}
+		logger.Debugf("rego file permissions check passed: %o", fileInfo.Mode().Perm())
+	} else {
+		logger.Warnf("skipping rego file permission check - file may have permissions more permissive than 0600")
 	}
 
-	options.regoFileLock = nil
+	return options.regoFilePath, nil
 }