Adding a Rego Policy Enforcer

[matajoh]

The standard policy enforcer is a domain-specific logical language implemented in go over JSON. In the future, policy enforcement will need to increase in complexity and coverage. Instead of increasing the complexity of the DSL in turn to address these needs, it is preferable to use a policy language designed to express these constraints, such as Rego. This PR adds an alternate Rego policy enforcer which expresses the same logic as the StandardPolicyEnforcer entirely in Rego.

We've added a RegoPolicy which implements SecurityPolicyEnforcer in securitypolicyenforcer_rego.go and a full test suite in regopolicy_test.go. The main design idea is that there are three elements which are used for evaluating the policy:

1. Policy objects (i.e., containers) which are translated into Rego from our existing JSON format.
2. Policy behavior, which is Rego that is in source control (policy.rego) which translates the enforcement logic currently in securitypolicyenforcer.go.
3. Policy data (i.e., state) which is maintained over the course of enforcement and fed into the Rego during a query

There is an additional element, namely the Microsoft Policy Framework (in framework.rego) which contains the majority of the enforcement logic. While at the moment this is used by the static policy.rego file, in the future it can be made available to customers who can choose to author their own policies.

To add some details on the implementation, for each Enforce* method, we query the Rego policy with a set input. On success, we modify the data object. For a simple example, see how EnforceDeviceMount works:

func (policy *RegoEnforcer) EnforceDeviceMountPolicy(target string, deviceHash string) error {
	policy.mutex.Lock()
	defer policy.mutex.Unlock()

	input := map[string]interface{}{
		"name":       "mount_device",
		"target":     target,
		"deviceHash": deviceHash,
	}
	result, err := policy.Query(input)
	if err != nil {
		return err
	}

	if !result.Allowed() {
		input_json, err := json.Marshal(input)
		if err != nil {
			return fmt.Errorf("Unable to marshal the Rego input data.")
		}

		return fmt.Errorf("device mount not allowed by policy.\ninput: %s", string(input_json))
	}

	deviceMap := policy.data["devices"].(map[string]string)
	if _, found := deviceMap[target]; found {
		input_json, err := json.Marshal(input)
		if err != nil {
			return fmt.Errorf("Unable to marshal the Rego input data.")
		}

		return fmt.Errorf("device %s already mounted.\ninput: %s", target, string(input_json))
	}

	deviceMap[target] = deviceHash
	return nil
}

The corresponding Rego for this is:

default mount_device := false
mount_device := true {
    some container in data.policy.containers
    some layer in container.layers
    input.deviceHash == layer
}

We believe that this logic is much easier to reason about and maintain over time as opposed to the current system, while also allowing for a straightforward expansion in coverage over time.

Note
This PR was intended to be additive and non-invasive, but in order to add the Rego dependencies
multiple package revs appeared to be required. This is the source of the vast majority of the files
that have been touched (i.e., in the vendor directory).

[kevpar]

It doesn't look like this line is actually logging anything, as it doesn't have a call to Error, Info, etc.

[SeanTAllen]

@matajoh is this supposed to be .Error() ?

[kevpar]

Also for nit PR: objects is the user's input policy, right? So I think we shouldn't bother logging it here at all (maybe just log it once as Debug when we read it in).

[matajoh]

I made this change based on a recommendation from @anmaxvl. Whatever is the desired convention for this repo should be used.

[kevpar]

I am fairly certain as written this line does not log anything. It creates a temporary logger object that has an error and fields associated with it, but then we don't call anything like Error on it, so that logger just gets thrown away.

Personally I'd be more in favor of just removing this line and logging the generated Rego when we construct the enforcer (as I commented above).

[kevpar]

Prefer to write this as:

log.G(ctx).WithField("output", output).Debug("rego query output")

[kevpar]

This makes it more clear in the logs what is being written.

[SeanTAllen]

I'll leave this to @matajoh as I'm not sure of the correct change. Your suggestion looks reasonable to me, but I'm not positive it is correct.

[kevpar]

We can take this to the nit PR.

[matajoh]

This is perfectly fine as an alternate. I have no strong opinion here.

[kevpar]

@anmaxvl when did we decide we're going to work on splitting out stuff from pkg/securitypolicy that can live in internal instead?

[kevpar]

Rather than printing the serialized input JSON, I think we should just print the target and deviceHash inputs. That will look better in an error string, where we want to avoid newlines.

e.g. fmt.Errorf("device mount of %s to %s not allowed by policy", deviceHash, target)

[SeanTAllen]

My worry with such a change is that the input could be updated and not reflected in the error message.

[kevpar]

We can take this to the nit PR.

[dcantah]

It seems like this "thing didn't work, here's the input to figure it out: %s" workflow is used a bunch, we might be able to just make a custom error type. Naming is up to you:

type RegoError struct {
     Reason, Input string
}

func (re *RegoError) Error() string {
    return fmt.Errorf("%s. Input: %s")
}

func NewRegoError(reason, input string) error {
        return &RegoError{reason, input}
}

[SeanTAllen]

I like this idea. It conflicts with @kevpar's idea of limiting the values in the field and not printing all of input. I'm a fan of the "we don't miss updating an error message" aspect of the current way we print input. But Kevin has a good point about formatting. I'm leaving this til tomorrow to get Matt's thoughts as there are a couple other points on this PR I can't address as I lack knowledge to know "the why" of a couple choices.

[matajoh]

I'm a huge fan of typed errors. If we want to go down that route, I believe we should have errors for each kind of failure and populate the objects with all the data in input. However, a question worth asking is what we gain for the additional maintenance burden (i.e. having to update all the error types over time as the input changes). Whatever we do, it should be motivated by the needs of the people who will be reading and fixing the errors being reported.

[BryceDFisher]

I think the more specific we can get about what broke the better in addition to the full input. Or log the full input once after listing all of the specific errors.

[dcantah]

I'm in favor of typed errors for specific domains like this, but it sounds like Kevin's suggestion for just printing the devicehash and target in errors was moved to the follow up nit PR. Let's figure out a story for this if we want to go this route there then.

[dcantah]

All of these were bumped just for the new open-policy-agent dependency?

[SeanTAllen]

Its the new dependency. Given we merely run "go mod" to update this, I can't comment on what specifically causes a given line to update.

[dcantah]

Yea it looks like that dep has quite the dependency tree.. it's definitely the one bumping containerd and grpc, and the others are likely a cascade from the new containerd version

[BryceDFisher]

Did you also run go mod tidy? I've found on past projects that there is a reduced likelihood of merge conflicts between different branches and PRs if go mod tidy is never run since the old versions are always captured and can be compared against rather than removed.

[BryceDFisher]

Ignore my comment, got myself turned around.

[dcantah]

Yea we have a CI job that should validate that the vendor dir/go.mod is matching after a go mod tidy/vendor flow. Just crazy to see so many bumps from a single dependency

[anmaxvl]

@anmaxvl when did we decide we're going to work on splitting out stuff from pkg/securitypolicy that can live in internal instead?

we can do this right after all the Rego PRs are in - in a few weeks from now.

[SeanTAllen]

I've done a number of updates here, hopefully they dont cause a lot of cascading issues with work we've already done.

If they do, then for future PRs, I'd like to do save up the small nits and do after all the core feature PRs are in. I hope that is ok with everyone. Very happy to make changes, but unless they are hugely important, I'd like to do them later so they don't conflict with code that is already written and is waiting on branches.

[kevpar]

I've done a number of updates here, hopefully they dont cause a lot of cascading issues with work we've already done.

If they do, then for future PRs, I'd like to do save up the small nits and do after all the core feature PRs are in. I hope that is ok with everyone. Very happy to make changes, but unless they are hugely important, I'd like to do them later so they don't conflict with code that is already written and is waiting on branches.

Thanks Sean, I think we can try to delay nits (such as formatting of error messages) to another PR, as long as we get that in soon. However, I'd prefer we address exporting of symbols here. The reason being that since pkg/securitypolicy is external, anything we export from there could be picked up and used elsewhere, which can make it harder to change code in the future.

That said, this package is still early, so I think we can get away with some API changes, but we should make an effort to not change exported symbols once they are introduced.

I'm pretty sure this change mostly doesn't need any exported symbols changes, but I did notice the following, can you comment on if these all need to be done (or need to be exported)?

• Renamed ErrInvalidAllowAllPolicy to ErrInvalidOpenDoorPolicy
• Removed SecurityPolicyEnforcer.EnforceMountPolicy
• Changed args of SecurityPolicyEnforcer.EnforceCreateContainerPolicy
• Added Mounts.Append
• Added StringArray
• Added a bunch of MarshalRego
• Added EnvRuleArray

[matajoh]

• Renamed ErrInvalidAllowAllPolicy to ErrInvalidOpenDoorPolicy
  This was done in consultation with Maksim, and I believe it best to have the error naming line up with the actual name of the policy enforcement class.
• Removed SecurityPolicyEnforcer.EnforceMountPolicy
  @SeanTAllen can speak to the details here, but this change needs to happen.
• Changed args of SecurityPolicyEnforcer.EnforceCreateContainerPolicy
  This is part of the change above, and they come together.
• Added Mounts.Append
  This doesn't need to be exported
• Added StringArray
  No need to be exported, we can make this change
• Added a bunch of MarshalRego
  We may be able to get away with not exporting this either, need to check a few things
• Added EnvRuleArray
  No need to export

[matajoh]

@kevpar @anmaxvl @dcantah I believe all the comments have been addressed at this point. We'd appreciate another review with an eye to squash and merge tomorrow AM (GMT).

[SeanTAllen]

Removed SecurityPolicyEnforcer.EnforceMountPolicy
Changed args of SecurityPolicyEnforcer.EnforceCreateContainerPolicy

EnforceMountPolicy was incorrectly implemented previously. As a result, there was a bug in the existing version. There was also a bug in the new version when Matt originally implemented following the old model.

Mount policy should be enforced as part of create not as a 2nd step after the create enforcement while still being part of the create step. It is part of the gating for create, not its own separate check. So, it was changed to fix bugs in both versions and get them both correctly having a single gating for create.

[dcantah]

Making notes for a nit PR: Be nice to wrap this error so we know what Marshal actually failed with

[dcantah]

Nit: Wrap this error so we know what Marshal actually failed with

[dcantah]

You get the idea for the rest of the file

[kevpar]

Fine to leave this as-is, but just so you know, (*strings.Builder).WriteString is guaranteed to always return a nil error, so I think we can remove all error handling from the marshalRego path.

[BryceDFisher]

Really the error handling should be that the length of the written string is non-zero.

[kevpar]

nit PR: More idiomatic to do:

compiled, err := ast.CompileModulesWithOpt(modules, options)
if err != nil {
    return nil, fmt.Errorf("rego compilation failed: %w", err)
}
policy.compiledModules = compiled

[BryceDFisher]

I've always kinda liked this inline style when the results of the function call don't need to be in scope longer than the if statement.

[kevpar]

We should have a comment somewhere (maybe here) describing what each of the data fields is used for.

[kevpar]

Would it be helpful to log policy.objects as a debug message? Thinking of cases where we want to know exactly what policy was produced to troubleshoot.

[kevpar]

I'm approving as-is with the understanding that the Rego policy enforcer is still a work-in-progress, and will have more revisions coming soon (including the nit PR).

[dcantah]

I'm also alright with this on the pretext some of the nits get addressed in a follow-up. LGTM

[BryceDFisher]

Requiring the mount source in the customer rego seems strange since it is forced to be a suffix wildcard with a few compiled in options for the prefix. Any change in this implementation will break all policies, and there isn't any choice the customer can make.

[BryceDFisher]

Is there a way we can differentiate between an invalid mount and a layer hash not matching?