instance config

Author: stas

src/ApiService/ApiService/ApiService.csproj

@@ -5,6 +5,7 @@
     <RestorePackagesWithLockFile>true</RestorePackagesWithLockFile>
     <OutputType>Exe</OutputType>
     <Nullable>enable</Nullable>
+    <WarningLevel>5</WarningLevel>
   </PropertyGroup>
   <ItemGroup>
     <PackageReference Include="Microsoft.Azure.Functions.Worker.Extensions.Storage" Version="5.0.0" />

src/ApiService/ApiService/Info.cs

@@ -133,6 +133,7 @@ public interface ILogTracer
     void Info(string message);
     void Warning(string message);
 
+    ILogTracer AddTag(string k, string v);
     ILogTracer AddTags((string, string)[]? tags);
 }
 
@@ -176,6 +177,11 @@ public LogTracer(Guid correlationId, IReadOnlyDictionary<string, string> tags, L
         _loggers = loggers;
     }
 
+    public ILogTracer AddTag(string k, string v)
+    {
+        return AddTags(new[] { (k, v) });
+    }
+
     public ILogTracer AddTags((string, string)[]? tags)
     {
         var newTags = new Dictionary<string, string>(Tags);

src/ApiService/ApiService/Log.cs

@@ -1,4 +1,5 @@
-public enum ErrorCode
+namespace Microsoft.OneFuzz.Service;
+public enum ErrorCode
 {
     INVALID_REQUEST = 450,
     INVALID_PERMISSION = 451,

src/ApiService/ApiService/OneFuzzTypes/Enums.cs

@@ -243,7 +243,7 @@ PoolName PoolName
     //        ) : BaseEvent();
 
 
-    //    record EventInstanceConfigUpdated(
-    //        InstanceConfig Config
-    //        ) : BaseEvent();
+    record EventInstanceConfigUpdated(
+        InstanceConfig Config
+    ) : BaseEvent();
 }

src/ApiService/ApiService/OneFuzzTypes/Events.cs

@@ -1,11 +1,15 @@
 using Microsoft.OneFuzz.Service.OneFuzzLib.Orm;
 using System;
 using System.Collections.Generic;
+using System.Text.Json.Serialization;
+
 using PoolName = System.String;
+using Endpoint = System.String;
+using GroupId = System.Guid;
+using PrincipalId = System.Guid;
 
 namespace Microsoft.OneFuzz.Service;
 
-
 /// Convention for database entities:
 /// All entities are represented by immutable records
 /// All database entities need to derive from EntityBase
@@ -15,6 +19,7 @@ namespace Microsoft.OneFuzz.Service;
 /// the "partion key" and "row key" are identified by the [PartitionKey] and [RowKey] attributes
 /// Guids are mapped to string in the db
 
+
 public record Authentication
 (
     string Password,
@@ -168,3 +173,102 @@ String InstanceName
 //    colocate: Optional[bool]
 //    ): EntityBase();
 
+
+public record AzureSecurityExtensionConfig();
+public record GenevaExtensionConfig();
+
+
+public record KeyvaultExtensionConfig(
+    string KeyVaultName,
+    string CertName,
+    string CertPath,
+    string ExtensionStore
+);
+
+public record AzureMonitorExtensionConfig(
+    string ConfigVersion,
+    string Moniker,
+    string Namespace,
+    [property: JsonPropertyName("monitoringGSEnvironment")] string MonitoringGSEnvironment,
+    [property: JsonPropertyName("monitoringGCSAccount")] string MonitoringGCSAccount,
+    [property: JsonPropertyName("monitoringGCSAuthId")] string MonitoringGCSAuthId,
+    [property: JsonPropertyName("monitoringGCSAuthIdType")] string MonitoringGCSAuthIdType
+);
+
+public record AzureVmExtensionConfig(
+    KeyvaultExtensionConfig? Keyvault,
+    AzureMonitorExtensionConfig AzureMonitor
+);
+
+public record NetworkConfig(
+    string AddressSpace,
+    string Subnet
+)
+{
+    public NetworkConfig() : this("10.0.0.0/8", "10.0.0.0/16") { }
+}
+
+public record NetworkSecurityGroupConfig(
+    string[] AllowedServiceTags,
+    string[] AllowedIps
+)
+{
+    public NetworkSecurityGroupConfig() : this(Array.Empty<string>(), Array.Empty<string>()) { }
+}
+
+public record ApiAccessRule(
+    string[] Methods,
+    Guid[] AllowedGroups
+);
+
+public record InstanceConfig
+(
+    [PartitionKey, RowKey] string InstanceName,
+    //# initial set of admins can only be set during deployment.
+    //# if admins are set, only admins can update instance configs.
+    Guid[]? Admins,
+    //# if set, only admins can manage pools or scalesets
+    bool AllowPoolManagement,
+    string[] AllowedAadTenants,
+    NetworkConfig NetworkConfig,
+    NetworkSecurityGroupConfig ProxyNsgConfig,
+    AzureVmExtensionConfig? Extensions,
+    string ProxyVmSku,
+    IDictionary<Endpoint, ApiAccessRule>? ApiAccessRules,
+    IDictionary<PrincipalId, GroupId[]>? GroupMembership,
+
+    IDictionary<string, string>? VmTags,
+    IDictionary<string, string>? VmssTags
+) : EntityBase()
+{
+    public InstanceConfig(string instanceName) : this(
+        instanceName,
+        null,
+        true,
+        Array.Empty<string>(),
+        new NetworkConfig(),
+        new NetworkSecurityGroupConfig(),
+        null,
+        "Standard_B2s",
+        null,
+        null,
+        null,
+        null)
+    { }
+
+
+    /// <summary>
+    /// Check if instance config is valid
+    /// </summary>
+    /// <returns>true, [] if instance config is valid;
+    /// otherwise false, with a list of errors</returns>
+    public (bool, List<string>) CheckInstanceConfig()
+    {
+        List<string> errors = new();
+        if (AllowedAadTenants.Length == 0)
+        {
+            errors.Add("allowed_aad_tenants must not be empty");
+        }
+        return (errors.Count == 0, errors);
+    }
+}

src/ApiService/ApiService/OneFuzzTypes/Model.cs

@@ -1,6 +1,24 @@
 namespace Microsoft.OneFuzz.Service
 {
 
+    public struct ResultOk<T_Error>
+    {
+        public static ResultOk<T_Error> Ok() => new();
+        public static ResultOk<T_Error> Error(T_Error err) => new(err);
+
+        readonly T_Error? error;
+        readonly bool isOk;
+
+        public ResultOk() => (error, isOk) = (default, true);
+
+        public ResultOk(T_Error error) => (this.error, isOk) = (error, false);
+
+        public bool IsOk => isOk;
+
+        public T_Error? ErrorV => error;
+    }
+
+
     public struct Result<T_Ok, T_Error>
     {
         public static Result<T_Ok, T_Error> Ok(T_Ok ok) => new(ok);
@@ -14,7 +32,10 @@ public struct Result<T_Ok, T_Error>
 
         public Result(T_Error error) => (this.error, ok, isOk) = (error, default, false);
 
-        public bool IsOk => IsOk;
+        public bool IsOk => isOk;
+
+        public T_Error? ErrorV => error;
+        public T_Ok? OkV => ok;
     }
 
 

src/ApiService/ApiService/OneFuzzTypes/ReturnTypes.cs

@@ -43,6 +43,7 @@ public static void Main()
             .AddSingleton<ICreds>(_ => new Creds())
             .AddSingleton<IStorage, Storage>()
             .AddSingleton<IProxyOperations, ProxyOperations>()
+            .AddSingleton<IConfigOperations, ConfigOperations>()
         )
         .Build();
 

src/ApiService/ApiService/Program.cs

@@ -31,16 +31,25 @@ public async Task Run([QueueTrigger("myqueue-items", Connection = "AzureWebJobsS
 
         var node = await _nodes.GetByMachineId(hb.NodeId);
 
+        var log2 = log.AddTag("NodeId", hb.NodeId.ToString());
+
         if (node == null)
         {
-            log.Warning($"invalid node id: {hb.NodeId}");
+            log2.Warning($"invalid node id: {hb.NodeId}");
             return;
         }
 
         var newNode = node with { Heartbeat = DateTimeOffset.UtcNow };
 
-        await _nodes.Replace(newNode);
+        var r = await _nodes.Replace(newNode);
+
+        if (!r.IsOk)
+        {
+            var (status, reason) = r.ErrorV;
+            log2.Error($"Failed to replace heartbeat info due to [{status}] {reason}");
+        }
 
+        // TODO: do we still send event if we fail do update the table ?
         await _events.SendEvent(new EventNodeHeartbeat(node.MachineId, node.ScalesetId, node.PoolName));
     }
 }

src/ApiService/ApiService/QueueNodeHearbeat.cs

@@ -30,14 +30,20 @@ public async Task Run([QueueTrigger("myqueue-items", Connection = "AzureWebJobsS
 
         var proxy = await _proxy.GetByProxyId(newHb.ProxyId);
 
+        var log2 = log.AddTag("ProxyId", newHb.ProxyId.ToString());
+
         if (proxy == null)
         {
-            log.AddTags(new[] { ("Proxy ID", newHb.ProxyId.ToString()) }).Warning($"invalid proxy id: {newHb.ProxyId}");
+            log2.Warning($"invalid proxy id: {newHb.ProxyId}");
             return;
         }
         var newProxy = proxy with { heartbeat = newHb };
 
-        await _proxy.Replace(newProxy);
-
+        var r = await _proxy.Replace(newProxy);
+        if (!r.IsOk)
+        {
+            var (status, reason) = r.ErrorV;
+            log.Error($"Failed to replace proxy heartbeat record due to [{status}] {reason}");
+        }
     }
 }